Geriatric Microsoft Bug Exploited by APT Utilising Commodity RATs!

Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email

An APT described as a “lone wolf” is exploiting a decades-old Microsoft Office flaw to deliver a barrage of commodity RATs to organisations in India & Afghanistan, researchers have found.

Disguised as an IT firm, the APT is hitting targets in Afghanistan & India, exploiting a 20-year-old+ Microsoft Office bug that is highly potent .

Government-Themed

Attackers use political & government-themed malicious domains as lures in the campaign, which targets mobile devices with out-of-the-box RATs such as dcRAT & Quasar RAT for Windows & Android RAT. They’re delivering the RATs in malicious documents by exploiting CVE-2017-11882, according to a report published Tuesday by Cisco Talos.

The threat group – tracked by Cisco Talos from the beginning of the year through the summer – disguises itself behind a front that seems legitimate, posing as a Pakistani IT firm called Bunse Technologies, researchers stated.

Memory Corruption

CVE-2017-11882 is a more than 20-year-old memory corruption vulnerability in Microsoft Office that persisted for 17 years before the company patched it in 2017. However, as recently as 2 years ago, attackers were seen exploiting the bug, which allows them to run malicious code automatically without requiring user interaction.

The advanced persistent threat (APT) behind the campaign also uses a custom file enumerator & infector in the reconnaissance phase of the 2-step attack, followed by a 2nd phase added in later versions of the campaign that deploys the ultimate RAT payload, researchers explained.

Fool Victims

To host the malware payloads, the threat player registered multiple domains with political & government themes used to fool victims, particularly ones linked to diplomatic & humanitarian efforts in Afghanistan to target entities in that country, researchers outlined.

“This campaign is a classic example of an individual threat actor employing political, humanitarian & diplomatic themes in a campaign to deliver commodity malware to victims” – in this case, RATs “packed with multiple functionalities to achieve complete control over the victim’s endpoint,” Cisco Talos’ Asheer Malhotra wrote in the post.

Out-of-the-Box Benefits

The campaign reflects an increased trend by both cyber-criminals & APTs to use commodity RATs instead of custom malware against victims for a number of reasons, researchers revealed.

Using commodity RATs gives attackers a range of out-of-the-box functionality, including preliminary reconnaissance capabilities, arbitrary command execution & data exfiltration, researchers noted. The RATs also “act as excellent launch pads for deploying additional malware against their victims,” Malhotra wrote.

Custom Malware

Using commodity malware also saves attackers both the time & resource investment in developing custom malware, as the RATs have stock features requiring minimal configuration changes, researchers surmised.

In their post, researchers broke down the 2-stage attack process as well as the specifics of each RAT they observed attackers using in the campaign. RAT functionality varies depending on the payload, they observed, but generally includes capabilities such as remote shells, process management, file management, keylogging, arbitrary command execution & credential stealing.

Initial Infection & Reconnaissance

The infection chain consists of a reconnaissance phase that starts with malicious RTF documents & PowerShell scripts that ultimately distribute malware to victims.

Specifically, the threat player uses the RTF to exploit the Office bug & execute a malicious PowerShell command that extracts & executes the next-stage PowerShell script. That script then base64 decodes another payload – in the case researchers observed, it was a loader executable & activates it on the infected endpoint, Malhotra wrote.

The loader executable begins by establishing persistence for itself using a shortcut in the current user’s Startup directory & then compiles hardcoded C# code into an executable assembly. It then invokes the entry point for the compiled malicious code – the previously mentioned custom file enumerator & infector researchers found.

File Enumerator

This C# code – which is the final payload in the reconnaissance phase – contains the file enumerator, which lists specific file types on the endpoint & sends the file paths to the command-&-control (C2) server along with file infector modules, which are different than typical executable infectors usually seen in the wild, Malhotra noted.

“These modules are used for infecting benign Office documents with malicious OLE objects to weaponize them to exploit CVE-2017-11882,” he wrote.

Attack Phase

Researchers observed attackers switching up tactics to deploy commodity RATs as the final payload starting in July, they explained.

To do this, attackers tweaked the reconnaissance process slightly to use the 2nd-stage PowerShell script to create a BAT file on disk, researchers stated. That file, in turn, would execute another PowerShell command to download & activate the RAT payload on the infected endpoint, retrieving it from 1 of the sites attackers set up.

“So far, we’ve observed the delivery of 3 types of payloads from the remote locations discovered in this phase of the campaign: DcRAT, Quasar RAT & a legitimate copy of the remote desktop client AnyDesk,” Malhotra wrote.

Last Payload

The use of the last payload “indicates a focus on manual operations where the actor would have logged into the infected devices to discern if the access was of any value,” according to the write-up.

The tactics of the APT used in the campaign demonstrate “aggressive proliferation” as the goal, as the use of out-of-the-box malware combined with customised file infections gives them a straightforward point of entry onto a victim’s network, Malhotra observed.

“Organisations should remain vigilant against such threats that are highly motivated to proliferate using automated mechanisms,” he wrote.

However, it seems likely that the group will eventually abandon its use of commodity malware for its own bespoke tools, which means there will probably be more threat campaigns in its future, researchers concluded.

Virtual Conference November 2021

 

More To Explore

Community Area

Books

Home Workouts

Recipe

spaghetti Bolognese
Days
Hours
Minutes
Seconds